fiddle with ca cert gen options

this is because s6-tlsclient refused to connect with Not a CA, or path length constraint violation. (BR_ERR_X509_NOT_CA) error
2024-10-02 00:26:44 +01:00 · 2024-10-02 00:26:44 +01:00 · 3aa3bacae9
commit 3aa3bacae9
parent cc3e695174
1 changed files with 1 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -36,7 +36,7 @@ chmod 0700 psk

 # create CA key and cert used for signing
 openssl genrsa -out ca.key 4096
-CN=CA openssl req -config openssl.cnf -x509 -new -nodes -key ca.key -sha256 -days 3650  -out ca.crt
+CN=CA openssl req -config openssl.cnf -addext basicConstraints=critical,CA:TRUE,pathlen:1  --x509 -new -nodes -key ca.key -sha256 -days 3650  -out ca.crt

 # create key for the server and sign it with the CA
 CN=localhost openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout server.key --out server.csr